Cypher Rat Evlf Jun 2026

Links in emails or SMS (smishing) leading to malicious downloads.

The developer, identified as EVLF DEV (sometimes linked to the name Mohammed Naser Alfirtosy), has been active in the malware landscape for over eight years. Based in Syria, EVLF DEV is responsible for both CypherRat and its more advanced successor, CraxsRAT. These tools have been sold to over 100 distinct threat actors globally through surface web stores and Telegram channels like "EvLF Devz".

Core Capabilities of CypherRat

The distribution and execution of CypherRAT rely on heavy obfuscation and psychological manipulation.

1. Delivery

devices. It was developed and sold by a threat actor known as EVLF DEV, who has been operating out of Syria for over eight years.

Malware Profile

Developer: EVLF DEV (also linked to the development of
Distribution Model: Offered as a Malware-as-a-Service (MaaS)

It features "anti-kill" and "anti-delete" modules that make it extremely difficult for users to remove once installed. Some variants will even crash the settings page if an uninstallation attempt is detected.

4. Commercial Model

Furthermore, the malware utilizes these accessibility rights to establish . If a victim attempts to open their system settings to remove the malicious application, the background process detects the action and forces the settings page to crash, locking the user out of manual remediation pathways.

The Unmasking and Current Status of EVLF

The developer has been active for several years, perfecting the art of creating malicious tools that can evade standard mobile security protections, including Google Play Protect.

Key Capabilities and Technical Features

The threat actor actively developed and maintained mobile malware platforms for nearly a decade.

Threat intelligence investigations published by cybersecurity firms like CYFIRMA reveal that EVLF has been active in the underground ecosystem for nearly a decade. Operating primarily from Syria, EVLF generated significant illicit revenue—estimated at over $75,000—by engineering high-tier mobile exploitation tools.

In indie games, ARGs (alternate reality games), or self-published cyberpunk fiction, authors create jargon for factions or tools. “Cypher Rat” could be a hacker alias; “Evlf” a group tag. A search on Steam, Itch.io, or fanfiction archives yields no matches.

Cypher RAT was explicitly designed to leverage the vast amounts of telemetry and sensitive data stored on modern Android smartphones. Utilizing a dedicated builder engine, buyers could customize and obfuscate payloads to create tailor-made malicious packages (.apk files).

By deploying keyloggers and screen-recording features, attackers could intercept banking credentials, cryptocurrency private keys, and multi-factor authentication (MFA) codes.